Cyber Operations
Russia's APT28 Router Hijacking Campaign Disrupted by DOJ. The U.S. Department of Justice announced a court-authorized disruption of a DNS hijacking network operated by GRU Military Unit 26165 (APT28/Fancy Bear). The campaign, codenamed FrostArmada by Lumen's Black Lotus Labs, compromised between 18,000 and 40,000 TP-Link and MikroTik routers across 120 countries by exploiting CVE-2023-50224, an authentication bypass vulnerability. Compromised routers were reconfigured to redirect DNS requests to GRU-controlled servers, enabling passive credential harvesting. At its peak in December 2025, over 18,000 unique IPs were communicating with APT28 infrastructure. Targets included foreign affairs ministries, law enforcement, and cloud service providers across North Africa, Central America, Southeast Asia, and Europe. The FBI's Operation Masquerade remotely reset DNS settings on U.S.-based compromised routers. Germany's domestic intelligence agency issued a parallel warning about TP-Link exploitation targeting military and critical infrastructure, and the UK's NCSC published a joint advisory attributing the campaign to APT28.
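The technique above is simple to detect from inside the affected LAN if you look for it: check which resolver the router hands out, and check whether that resolver's answers for a few login hostnames agree with a trusted resolver reached independently of the router. The script below does both. It is an added example written for this digest, not code from Lumen, the FBI, or any advisory; the hostnames, addresses and answers are constructed from RFC 5737 documentation ranges, and the lookup function is injected so the audit runs offline (in production, point dnspython's `dns.resolver.Resolver(configure=False)` at each resolver instead).

```python
"""Audit a LAN's DNS path for router-level hijacking of the kind described
above. Check 1: is the DHCP-advertised resolver one we expect? Check 2: do
its answers for canary hostnames overlap with a trusted reference?

Added example for this digest; hostnames, addresses and answers are
constructed (RFC 5737 ranges), not taken from any report.
"""
import ipaddress
from typing import Callable, Dict, List, Set, Tuple

# (hostname, resolver_ip) -> set of A-record answers. Injected so the audit
# runs offline; wrap a real DNS query here in production.
Resolve = Callable[[str, str], Set[str]]
Finding = Tuple[str, str, str]  # (kind, resolver, hostname)

# Constructed canary hostnames: the login endpoints a hijacker must redirect
# to harvest credentials. Use your own services, not CDN-fronted names whose
# legitimate answers vary by region.
CANARY_HOSTS = ["sso.example.test", "mail.example.test", "vpn.example.test"]

# Constructed reference answers, as a trusted resolver would return them.
REFERENCE: Dict[str, Set[str]] = {
    "sso.example.test": {"203.0.113.10", "203.0.113.11"},
    "mail.example.test": {"203.0.113.20"},
    "vpn.example.test": {"203.0.113.30"},
}

# RFC 1918 ranges listed explicitly: ipaddress.is_private also covers the
# documentation ranges used below, which would mask the rogue-upstream case.
LAN_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def resolver_is_expected(ip: str, allowlist: Set[str]) -> bool:
    """Allowlisted public resolvers are fine; so is a LAN address, since most
    routers advertise themselves as the resolver. A LAN address still gets
    the answer check, which is what catches a router forwarding to a
    hijacked upstream."""
    addr = ipaddress.ip_address(ip)
    return ip in allowlist or any(addr in net for net in LAN_RANGES)


def audit_dns(advertised: List[str], resolve: Resolve, allowlist: Set[str]) -> List[Finding]:
    findings: List[Finding] = []
    for resolver in advertised:
        if not resolver_is_expected(resolver, allowlist):
            findings.append(("unexpected_resolver", resolver, ""))
        for host in CANARY_HOSTS:
            answers = resolve(host, resolver)
            if not answers:
                findings.append(("no_answer", resolver, host))
            elif not answers & REFERENCE[host]:
                # No overlap with the reference: clients are being sent to an
                # address the legitimate service does not use.
                findings.append(("divergent_answer", resolver, host))
    return findings


# Constructed answer table. 192.168.1.1 models a router whose upstream DNS
# was repointed, so one canary resolves to an attacker-controlled address.
FAKE_ANSWERS: Dict[Tuple[str, str], Set[str]] = {
    ("sso.example.test", "192.168.1.1"): {"198.51.100.5"},
    ("mail.example.test", "192.168.1.1"): {"203.0.113.20"},
    ("vpn.example.test", "192.168.1.1"): {"203.0.113.30"},
    ("sso.example.test", "9.9.9.9"): {"203.0.113.11"},
    ("mail.example.test", "9.9.9.9"): {"203.0.113.20"},
    ("vpn.example.test", "9.9.9.9"): {"203.0.113.30"},
}


def fake_resolve(host: str, resolver: str) -> Set[str]:
    return FAKE_ANSWERS.get((host, resolver), set())


def run_example() -> Dict[str, List[Finding]]:
    allow = {"9.9.9.9"}
    return {
        "hijacked_router": audit_dns(["192.168.1.1"], fake_resolve, allow),
        "clean_public": audit_dns(["9.9.9.9"], fake_resolve, allow),
        "rogue_upstream": audit_dns(["198.51.100.53"], fake_resolve, allow),
    }


if __name__ == "__main__":
    for label, found in run_example().items():
        print(label, found or "OK")
```

The resolver allowlist alone would have passed the hijacked router in the first case, since the router advertises its own LAN address; only the answer comparison catches it. Compare against answers you control (your own authoritative zone, or a resolver reached over a tunnel that bypasses the router), because IP-level mismatch on CDN-hosted names is normal and will produce false positives.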
North Korean Supply Chain Attack Compromises Axios npm Package. Google Threat Intelligence attributed a supply chain compromise of the widely used Axios npm package to UNC1069, a financially motivated North Korean threat actor. On March 31, a social engineering campaign targeting the Axios maintainer resulted in the injection of a malicious dependency ("plain-crypto-js") into versions 1.14.1 and 0.30.4. The obfuscated dropper deployed the WAVESHAPER.V2 backdoor across Windows, macOS, and Linux. Although the malicious versions were live for under three hours, the Axios package typically receives over 100 million weekly downloads. Separately, researchers identified over 1,700 malicious packages linked to the broader North Korean "Contagious Interview" campaign spread across npm, PyPI, Go, Rust, and Packagist ecosystems since January 2025.
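The two indicators the report gives, the compromised Axios versions and the injected dependency name, are enough to sweep lockfiles across a fleet. The script below scans an npm package-lock.json for both, handling lockfile v1 (nested `dependencies`/`requires`) and v2/v3 (`packages` keyed by install path). It is an added example for this digest, not tooling from the Axios project or Google Threat Intelligence; the sample lockfile and the `plain-crypto-js` version in it are constructed.

```python
"""Scan an npm package-lock.json for the indicators given above: the two
compromised Axios releases and the injected 'plain-crypto-js' dependency.

Added example for this digest; the sample lockfile below is constructed.
"""
import json
import sys
from typing import Dict, Iterator, List, Set, Tuple

# Indicators from the report: compromised release versions per package and
# the name of the dependency the attacker injected.
COMPROMISED_VERSIONS: Dict[str, Set[str]] = {"axios": {"1.14.1", "0.30.4"}}
MALICIOUS_NAMES: Set[str] = {"plain-crypto-js"}

Finding = Tuple[str, str, str]  # (kind, package, detail)


def iter_packages(lock: dict) -> Iterator[Tuple[str, str, Set[str]]]:
    """Yield (name, version, direct-dependency names) for every entry.
    lockfileVersion 2/3 keys entries by install path under 'packages';
    v1 nests them under 'dependencies' with ranges in 'requires'."""
    if "packages" in lock:
        for path, meta in lock["packages"].items():
            if not path:
                continue  # "" is the root project itself
            # Last path segment after node_modules/ keeps @scope/name intact
            # and resolves nested installs to the inner package.
            name = path.rsplit("node_modules/", 1)[-1]
            yield name, meta.get("version", ""), set(meta.get("dependencies", {}))
        return

    def walk(deps: dict) -> Iterator[Tuple[str, str, Set[str]]]:
        for name, meta in deps.items():
            yield name, meta.get("version", ""), set(meta.get("requires", {}))
            yield from walk(meta.get("dependencies", {}))

    yield from walk(lock.get("dependencies", {}))


def scan_lockfile(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for name, version, deps in iter_packages(json.loads(text)):
        if version in COMPROMISED_VERSIONS.get(name, set()):
            findings.append(("compromised_version", name, version))
        if name in MALICIOUS_NAMES:
            findings.append(("malicious_package", name, version))
        for dep in sorted(deps & MALICIOUS_NAMES):
            # A legitimate package never depends on the dropper; this flags
            # it even if the version pin is later republished under a new tag.
            findings.append(("malicious_dependency", name, dep))
    return findings


# Constructed lockfile as resolved while the bad release was live.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"axios": "^1.14.0"}},
        "node_modules/axios": {
            "version": "1.14.1",
            "dependencies": {"follow-redirects": "^1.15.6", "plain-crypto-js": "^1.0.0"},
        },
        "node_modules/follow-redirects": {"version": "1.15.6"},
        "node_modules/plain-crypto-js": {"version": "1.0.0"},  # constructed version
    },
})


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    for kind, pkg, detail in scan_lockfile(text) or [("clean", "-", "-")]:
        print(f"{kind:22} {pkg} {detail}")
```

A clean lockfile does not clear a host. Because the bad versions were live for under three hours, the exposure is any `npm install` or CI run that resolved during that window; pair the lockfile sweep with a search of build logs and the npm cache for the two version strings, since a lockfile re-resolved after the fix no longer records what was installed.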
Critical Fortinet Vulnerability Exploited in the Wild. Fortinet released out-of-band patches for CVE-2026-35616 (CVSS 9.1), a pre-authentication API access bypass in FortiClient EMS that is being actively exploited. Organizations running FortiClient EMS should patch immediately.
Espionage
Iran Claims Dismantlement of U.S.-Israeli Spy Network. Iranian intelligence forces announced the seizure of 45 U.S.- and Israeli-built espionage devices being smuggled through the country's northwestern border in West Azarbaijan province. Eight separatist militants were arrested, four of whom had allegedly established a terror cell in Piranshahr and were sharing coordinates of Iranian military installations with Israeli intelligence. The claim follows a broader pattern of Iranian counter-espionage announcements amid escalating tensions with Israel and the United States.
CIA Elevated Cyber Espionage Division to Mission Center Status. The CIA's Center for Cyber Intelligence was promoted to a full mission center in October 2025 under Director Ratcliffe, reflecting the growing centrality of cyber operations to U.S. intelligence collection and disruption capabilities. The elevation provides the division with additional resources and organizational prominence.
Information Operations & Foreign Influence
Russia-China Information Alliance Poses Threat to 2026 Electoral Cycle. A new analysis from ISPI describes an emerging Sino-Russian "axis of disinformation" in which Moscow and Beijing are formalizing coordination on narrative control, digital regulation, and technological leverage within the media domain. The report warns that this coordination threatens the integrity of European and allied electoral processes heading into the 2026 cycle.
2026 Annual Threat Assessment Highlights Cyber and Influence Threats. The ODNI's 2026 Annual Threat Assessment, released March 18, assessed that China, Russia, Iran, and North Korea will continue to target U.S. government and private-sector networks and critical infrastructure for intelligence collection, disruption options, and financial gain. The assessment also highlighted the expanding use of AI in disinformation campaigns, with adversaries using generative AI to scale the volume of content they produce, prioritizing quantity over credibility.
AI-Orchestrated Espionage Campaign Disclosed. Anthropic disclosed a campaign, assessed with high confidence to be Chinese state-sponsored, in which threat actors manipulated agentic AI capabilities to attempt infiltration of roughly thirty global targets. The operation is one of the first publicly reported cases of AI being used not merely as an advisory tool but as an autonomous executor of cyber-espionage tradecraft.